Pentagon wraps up new acquisition rules to protect weapons from cyberattacks

WASHINGTON (Reuters) - The U.S. Defense Department is taking
aggressive action to bolster the security of U.S. weapons systems
against cyberattacks, including issuing new rules for
acquisitions that will be finalized in coming months, officials
told Reuters.

In addition to the acquisition policy, the department is
producing a guidebook to help program managers assess the cost
and risk tradeoffs in structuring new weapons programs and making
them more secure, said Assistant Secretary of Defense Katrina
McFarland.

Both documents should be completed in the fourth quarter of this
fiscal year, which ends Sept. 30, McFarland told Reuters in an
interview this week. She said officials were reviewing the
documents to avoid inadvertently pointing would-be attackers to
possible vulnerabilities.

Chief U.S. arms buyer Frank Kendall said this month cyberattacks
on U.S. weapons and manufacturers are a "pervasive" problem that
requires greater attention.

In January, the department's chief weapons tester told Congress
that nearly every U.S. arms program showed "significant
vulnerabilities" to cyberattacks, including misconfigured,
unpatched and outdated software.

Increased focus on cybersecurity could create opportunities for
Lockheed Martin Corp, General Dynamics Corp and other suppliers
that do cybersecurity work for the Pentagon.

"The threat is very, very serious," Terry Halvorsen, the
Pentagon's chief information officer, told Reuters. "We are
taking very aggressive action to counter those threats."

Halvorsen cited what he called constant, growing and increasingly
sophisticated threats from criminals, extremist groups and
foreign governments. He said cyber warfare offered attackers the
possibility of doing great harm for little cost.

He said the Pentagon was also evaluating the risk of so-called
insiders sabotaging weapons systems and had taken some
"preemptive actions" to guard against that.

McFarland said all major U.S. weapons programs had been reviewed
for cyber vulnerabilities. New programs like the Air Force
long-range bomber - to be awarded this summer - would benefit
from getting the best protections from the start.

The new measures follow a change in federal defense acquisition
rules announced last November that require Pentagon contractors
to incorporate established security standards on the unclassified
networks that they use to communicate with suppliers, and to
report any cyberattacks that result in the loss of technical data
from those networks.

Those standards had already been in place for classified
networks.

Halvorsen said some weapons systems and sectors were particularly
targeted by hackers, but gave no details.

He and McFarland declined to say if U.S. government networks or
those of private companies had suffered any attacks similar to
the attack that damaged some 30,000 computers at Saudi Arabia's
national oil company in 2012.

Admiral Mike Rogers, director of the National Security Agency and
head of U.S. Cyber Command, told lawmakers this week the United
States was at a tipping point and needed to step up its offensive
cyber capabilities.

McFarland said the guidebook would ensure that program managers
and acquisition officials did a better job sharing data about
potential threats to avoid falling prey to the same malicious
software twice.